Windows 10 21H2 X64
COMODO Firewall v12.2.2.8012
Case 1: With the default Sandbox enabled (Fully Virtualized), the sample makes the OS log off, which means it bypassed the Sandbox.
Case 2: Adding a rule to sandbox the sample in the containment settings and changing the restriction level to Partially Limited, the result is the same as in case 1 above, which means it bypassed the Sandbox.
Case 3: Adding a rule to sandbox the sample in the containment settings and changing the restriction level to Limited or above, the sample can be blocked successfully.
In summary:
The default setting (Fully Virtualized), which can be triggered either automatically or via the right-click context menu "running in the sandbox", cannot block the operations of this sample, leading to the bypass. Besides, the Partially Limited restriction also cannot block the operations.
Here is the recorded video:
https://vimeo.com/692917748
PM for the sample if anyone wants to test it.